Content-Security-Policy

by nickrickard, Thursday, May 11, 2023, 09:54 (518 days ago)

I'm sharing this to get feedback if I can improve it or to help others. I didn't see anything about it in the documentation. From a bit of testing, I think the minimal Content-Security-Policy header permissions required on the server to allow selfoss to run are:

add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; img-src 'self'; object-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'none';" always;

(This is nginx syntax but you'll get the idea for Apache.)

Any thoughts, please? Maybe to add to the 'nginx configuration' wiki if it looks okay?


Complete thread:

 RSS Feed of thread

powered by my little forum